Trivially read any file on the remote system by exploiting these cgi scripts
bryan berg <km@UNDERWORLD.NET>
remotely read any httpd-readable file on the remote system
Those running vulnerable versions of the PHP distribution.
19 October 1997
Date: Sun, 19 Oct 1997 20:38:40 -0400
From: bryan berg <km@UNDERWORLD.NET>
Subject: Vulnerability in PHP Example Logging Scripts
Whilst perusing various things included with the PHP distribution, I
noticed that there was a gaping security hole in a few of the example
scripts, specifically mlog.html and mylog.html, which allow any remote user
to read any arbitrary file on the system. (which is readable to the user
that httpd and thus PHP are running as) To top it all off, this exploit is
really easy to accomplish.
The problem lies in the line:
in both mlog.html and mylog.html. The idea is to include a file for each
type of logging stats, however, there is no escaping of slashes, so one can
specify any file on the system.
The exploit for dummies:
qualified path to any file on the system]
useful files to see are /etc/hosts.allow, /etc/passwd (for unshadowed
systems..) and just about anything else.
insert the line
just before the <?include... line.
This problem exists in the most current distribution of PHP; I'm willing to
bet that it's been around for a while. Hopefully, it will be officially
fixed soon... ;)
bryan berg % firstname.lastname@example.org % http://www.underworld.net/~km/
system administrator, the underworld project
"i was blessed with a birth and a death and i guess
i just want some say in between" -- ani difranco
The master index of all exploits is available
here (Very large file)
Or you can pick your favorite operating system:
This page is part of Fyodor's exploit
For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces: